Add security policy to test run endpoints (#2096)

Fixes OPS-3882.

Author: MarceloRGonc

packages/server/api/src/app/file/file.controller.ts

@@ -2,8 +2,9 @@ import {
   FastifyPluginAsyncTypebox,
   Type,
 } from '@fastify/type-provider-typebox';
-import { PrincipalType } from '@openops/shared';
+import { Permission, PrincipalType } from '@openops/shared';
 import { StatusCodes } from 'http-status-codes';
+import { getProjectScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { fileService } from './file.service';
 
 export const fileController: FastifyPluginAsyncTypebox = async (app) => {
@@ -20,6 +21,10 @@ export const fileController: FastifyPluginAsyncTypebox = async (app) => {
 const GetFileRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.READ_RUN,
+    }),
   },
   schema: {
     operationId: 'Get File',

packages/server/api/src/app/flows/flow-run/flow-run-controller.ts

@@ -25,6 +25,7 @@ import {
   WebsocketClientEvent,
 } from '@openops/shared';
 import { StatusCodes } from 'http-status-codes';
+import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { flowRunRepo, flowRunService } from './flow-run-service';
 
 const DEFAULT_PAGING_LIMIT = 10;
@@ -142,6 +143,10 @@ const FlowRunFilteredWithNoSteps = Type.Omit(FlowRun, [
 const ListRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.READ_RUN,
+    }),
   },
   schema: {
     operationId: 'List Flow Runs',
@@ -159,6 +164,10 @@ const ListRequest = {
 const GetRequest = {
   config: {
     allowedPrincipals: [PrincipalType.SERVICE, PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.READ_RUN,
+    }),
   },
   schema: {
     operationId: 'Get Flow Run Details',
@@ -194,7 +203,10 @@ const ResumeFlowRunRequest = {
 const RetryFlowRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-    permission: Permission.RETRY_RUN,
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.RETRY_RUN,
+    }),
   },
   schema: {
     operationId: 'Retry Flow Run',
@@ -210,6 +222,10 @@ const RetryFlowRequest = {
 const StopFlowRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.TEST_RUN_FLOW,
+    }),
   },
   schema: {
     operationId: 'Stop Flow Run',

packages/server/api/src/app/flows/flow-run/flow-run-module.ts

@@ -17,8 +17,11 @@ const EXECUTION_DATA_RETENTION_DAYS = system.getNumberOrThrow(
 
 export const flowRunModule: FastifyPluginAsync = async (app) => {
   app.addHook('preSerialization', entitiesMustBeOwnedByCurrentProject);
+
   await app.register(controller, { prefix: '/v1/flow-runs' });
+
   await webhookResponseWatcher.init();
+
   systemJobHandlers.registerJobHandler(
     SystemJobName.LOGS_CLEANUP_TRIGGER,
     async () => {
@@ -67,6 +70,7 @@ export const flowRunModule: FastifyPluginAsync = async (app) => {
       );
     },
   );
+
   await systemJobsSchedule.upsertJob({
     job: {
       name: SystemJobName.LOGS_CLEANUP_TRIGGER,

packages/server/api/src/app/flows/test/test.controller.ts

@@ -5,10 +5,12 @@ import {
 } from '@fastify/type-provider-typebox';
 import {
   flowHelper,
+  Permission,
   PrincipalType,
   TestTriggerRequestBody,
 } from '@openops/shared';
 import { StatusCodes } from 'http-status-codes';
+import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { validateFlowVersionBelongsToProject } from '../common/flow-version-validation';
 import { flowRunService } from '../flow-run/flow-run-service';
 import { flowVersionService } from '../flow-version/flow-version.service';
@@ -119,6 +121,13 @@ export const testController: FastifyPluginAsyncTypebox = async (fastify) => {
 };
 
 const TestStepRequest = {
+  config: {
+    allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.TEST_STEP_FLOW,
+    }),
+  },
   schema: {
     description:
       'Test a workflow step with specified parameters. With this endpoint its possible to validate steps.',
@@ -144,6 +153,13 @@ const TestStepRequest = {
 };
 
 const TestWorkflowRequest = {
+  config: {
+    allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.TEST_RUN_FLOW,
+    }),
+  },
   schema: {
     description:
       'Start a test for a workflow using a defined workflow version. This endpoint starts a test run of the entire workflow.',
@@ -170,12 +186,16 @@ const TestWorkflowRequest = {
 };
 
 const TestTriggerRequest = {
+  config: {
+    allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.TEST_STEP_FLOW,
+    }),
+  },
   schema: {
     description:
       'Test a flow trigger with specified parameters. This endpoint allows users to validate and test flow triggers before deploying them to production, helping ensure proper configuration and behavior.',
     body: TestTriggerRequestBody,
   },
-  config: {
-    allowedPrincipals: [PrincipalType.USER],
-  },
 };

packages/server/api/src/app/webhooks/webhook-simulation/webhook-simulation-controller.ts

@@ -2,7 +2,8 @@ import {
   FastifyPluginCallbackTypebox,
   Type,
 } from '@fastify/type-provider-typebox';
-import { PrincipalType } from '@openops/shared';
+import { Permission, PrincipalType } from '@openops/shared';
+import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { webhookSimulationService } from './webhook-simulation-service';
 
 export const webhookSimulationController: FastifyPluginCallbackTypebox = (
@@ -46,6 +47,10 @@ export const webhookSimulationController: FastifyPluginCallbackTypebox = (
 const CreateWebhookSimulationRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.TEST_STEP_FLOW,
+    }),
   },
   schema: {
     body: Type.Object({
@@ -59,6 +64,10 @@ const CreateWebhookSimulationRequest = {
 const GetWebhookSimulationRequest = {
   config: {
     allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      permission: Permission.TEST_STEP_FLOW,
+    }),
   },
   schema: {
     querystring: Type.Object({